Return the constructed certificate chain in X509Certificate::Verify()

net/base/x509_certificate_nss.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/base/x509_certificate.h"
 
 #include <cert.h>
 #include <cryptohi.h>
 #include <keyhi.h>
 #include <nss.h>
@@ skipping 150 matching lines @@
     case SEC_ERROR_EXTENSION_VALUE_INVALID:
       return CERT_STATUS_INVALID;
     default:
       return 0;
   }
 }
 
 // Saves some information about the certificate chain cert_list in
 // *verify_result.  The caller MUST initialize *verify_result before calling
 // this function.
-// Note that cert_list[0] is the end entity certificate and cert_list doesn't
-// contain the root CA certificate.
+// Note that cert_list[0] is the end entity certificate.
 void GetCertChainInfo(CERTCertList* cert_list,
+                      CERTCertificate* root_cert,
                       CertVerifyResult* verify_result) {
   // NOTE: Using a NSS library before 3.12.3.1 will crash below.  To see the
   // NSS version currently in use:
   // 1. use ldd on the chrome executable for NSS's location (ie. libnss3.so*)
   // 2. use ident libnss3.so* for the library's version
-  DCHECK(cert_list);
+  if (!cert_list)
+    return;

[wtc, 2011/07/26 00:16:35]

Why do you want to allow cert_list to be NULL?
This is not necessary if you don't move the GetCertChainInfo
call.

Have you verified that cvout[cvout_cert_list_index].value.pointer.chain
can be used when PKIXVerifyCert fails?  It is uncommon
for a function to return outputs on failure, so I'm not
sure if PKIXVerifyCert does that.

[Ryan Sleevi, 2011/07/26 01:44:50]

Thanks for catching this. In digging down further into libpkix, I see that the
chain is not made available if there are any exceptions processing/validating.

This is incredibly unfortunate, because, combined with the error log not
containing any/all of the errors, it makes it nigh impossible to reliably
display the chain that was built with errors.

This should probably be fixed upstream, but like the error log, I don't think
this would be a trivial change to libpkix, based on how it builds/evaluates
chains.

For this reason, I removed the check on line 214-215, since it represents an
impossible condition. I left the check in for lines 218/219, but removed the
comment, because I believe it's reasonable to expect that NSS may change this
behaviour in the future, and a root cert may not always be available.

+
+  CERTCertificate* verified_cert = NULL;
+  std::vector<CERTCertificate*> verified_chain;
   int i = 0;
   for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list);
        !CERT_LIST_END(node, cert_list);
-       node = CERT_LIST_NEXT(node), i++) {
+       node = CERT_LIST_NEXT(node), ++i) {
+    if (i == 0) {
+      verified_cert = node->cert;
+    } else {
+      verified_chain.push_back(node->cert);
+    }
     SECAlgorithmID& signature = node->cert->signature;
     SECOidTag oid_tag = SECOID_FindOIDTag(&signature.algorithm);
     switch (oid_tag) {
       case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
         verify_result->has_md5 = true;
         if (i != 0)
           verify_result->has_md5_ca = true;
         break;
       case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION:
         verify_result->has_md2 = true;
         if (i != 0)
           verify_result->has_md2_ca = true;
         break;
       case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION:
         verify_result->has_md4 = true;
         break;
       default:
         break;
     }
   }
+
+  if (!verified_cert)
+    return;
+
+  // If the chain was not trusted, |root_cert| may be NULL.
+  if (root_cert)
+    verified_chain.push_back(root_cert);
+  verify_result->verified_cert =
+      X509Certificate::CreateFromHandle(verified_cert, verified_chain);
 }
 
 // IsKnownRoot returns true if the given certificate is one that we believe
 // is a standard (as opposed to user-installed) root.
 bool IsKnownRoot(CERTCertificate* root) {
   if (!root->slot)
     return false;
 
   // This magic name is taken from
   // http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/ckfw/builtins/constants.c&rev=1.13&mark=86,89#79
@@ skipping 548 matching lines @@
 
 X509Certificate::OSCertListHandle
 X509Certificate::CreateOSCertListHandle() const {
   return CERT_DupCertificate(cert_handle_);
 }
 
 int X509Certificate::Verify(const std::string& hostname,
                             int flags,
                             CertVerifyResult* verify_result) const {
   verify_result->Reset();
+  verify_result->verified_cert =
+      CreateFromHandle(cert_handle_, GetIntermediateCertificates());
 
   if (IsBlacklisted()) {
     verify_result->cert_status |= CERT_STATUS_REVOKED;
     return ERR_CERT_REVOKED;
   }
 
   // Make sure that the hostname matches with the common name of the cert.
   SECStatus status = CERT_VerifyCertName(cert_handle_, hostname.c_str());
   if (status != SECSuccess)
     verify_result->cert_status |= CERT_STATUS_COMMON_NAME_INVALID;
@@ skipping 18 matching lines @@
   ScopedCERTValOutParam scoped_cvout(cvout);
 
   bool check_revocation = (flags & VERIFY_REV_CHECKING_ENABLED);
   if (check_revocation) {
     verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED;
   } else {
     // EV requires revocation checking.
     flags &= ~VERIFY_EV_CERT;
   }
   status = PKIXVerifyCert(cert_handle_, check_revocation, NULL, 0, cvout);
+
+  GetCertChainInfo(cvout[cvout_cert_list_index].value.pointer.chain,
+                   cvout[cvout_trust_anchor_index].value.pointer.cert,
+                   verify_result);
+
   if (status != SECSuccess) {
     int err = PORT_GetError();
     LOG(ERROR) << "CERT_PKIXVerifyCert for " << hostname
                << " failed err=" << err;
     // CERT_PKIXVerifyCert rerports the wrong error code for
     // expired certificates (NSS bug 491174)
     if (err == SEC_ERROR_CERT_NOT_VALID &&
         (verify_result->cert_status & CERT_STATUS_DATE_INVALID) != 0)
       err = SEC_ERROR_EXPIRED_CERTIFICATE;
     int cert_status = MapCertErrorToCertStatus(err);
     if (cert_status) {
       verify_result->cert_status |= cert_status;
       return MapCertStatusToNetError(verify_result->cert_status);
     }
     // |err| is not a certificate error.
     return MapSecurityError(err);
   }
 
-  GetCertChainInfo(cvout[cvout_cert_list_index].value.pointer.chain,
-                   verify_result);
   if (IsCertStatusError(verify_result->cert_status))
     return MapCertStatusToNetError(verify_result->cert_status);
 
   AppendPublicKeyHashes(cvout[cvout_cert_list_index].value.pointer.chain,
                         cvout[cvout_trust_anchor_index].value.pointer.cert,
                         &verify_result->public_key_hashes);
 
   verify_result->is_issued_by_known_root =
       IsKnownRoot(cvout[cvout_trust_anchor_index].value.pointer.cert);
 
@@ skipping 172 matching lines @@
 
 // static
 bool X509Certificate::WriteCertHandleToPickle(OSCertHandle cert_handle,
                                               Pickle* pickle) {
   return pickle->WriteData(
       reinterpret_cast<const char*>(cert_handle->derCert.data),
       cert_handle->derCert.len);
 }
 
 }  // namespace net